
Building a Muscle Memory with Rekall Memory Forensic Framework

via YouTube

Overview

Explore memory forensics techniques and the Rekall Memory Forensic Framework in this 53-minute conference talk from BSides Augusta 2015. Learn about evidence in memory, investigative methodology for identifying malware, and interactive Rekall sessions. Discover process enumeration methods, advantages of baselining, and how to detect rootkit behaviors. Gain insights into live analysis techniques and the AFF4 volume format. Enhance your skills in digital forensics and malware detection through practical demonstrations and real-world use cases.

Syllabus

Intro
You are Freaking Awesome!
Memory Forensics IRL
Evidence in Memory
Rekall Memory Forensic Framework
Investigative Methodology: Use Case: Identifying Malware
Interactive Rekall Session
Profile Auto-detection
Session Caching
Process Enumeration pslist Using Volatility
Process Enumeration with Rekall: Choose Your Poison (Rekall's PSList Methods of Enumeration)
Process Scanning with Rekall Output Options
Advantages of Baselining: "Know Normal, Find Evil."
MBR Persistence
Memory Analysis with Rekall Step 1: Identify Rogue Processes
Know Normal (Windows Processes), Find Evil
Step 3: Network Connections
Signs of Code Injection
Detect Rootkit Behaviors
Memory Analysis with Rekall Step 6: Acquisition of Notable Findings
AFF4 Volume Format
Live Analysis with Rekall (1)
Live Analysis with Rekall (3) Acquisition
References
